Question

我一直在尝试通过关注他们的文档将图片/视频上传到s3。但是，经过多次尝试，我只是不断获得Access Denied错误。

我已在其UnAuth角色中为s3：*访问设置了一个认知池。但问题是我无法从iOS设备上工作。我使用AWSTransferManager来创建上传功能，但这是我得到的响应：

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message> 
<RequestId>DEE11EF134B50C8D</RequestId><HostId>/+qV8CLvPZHi4lIAHrVnKf1sDmWFcFS1dcfMX5XG0yfPG/TIASBfo/T5aGZRZg77wdn7siOrRVc=</HostId></Error>
Upload failed with error: (The operation couldn’t be completed. (com.amazonaws.AWSServiceErrorDomain error 11.))

广告管理政策 - ：

{
    "Version": "2012-10-17",
    "Id": "Policy1460611228663",
    "Statement": [
        {
            "Sid": "Stmt1460611220793",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::MY_ACCOUNT_ID:root"
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::MY_BUCKET_NAME/*"
        }
    ]
}

IAM UnAuth角色政策 - ：

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*",
                "mobileanalytics:PutEvents",
                "cognito-sync:*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

我被困在这里。请说明我做错了什么？

let accK = "myaccesskey"
let secretK = "mysecretkey"
let credentialsProvider = AWSStaticCredentialsProvider(accessKey: accK, secretKey: secretK)
let configuration = AWSServiceConfiguration(region: AwsRegion, credentialsProvider: credentialsProvider)
AWSS3TransferManager.register(with: configuration!, forKey: "mys3")

Answer 1

配置了标识池和IAM策略，以便标识池的unauth角色可以访问该存储桶，以下代码应该可以使用

//Setup credentials
let credentialProvider = AWSCognitoCredentialsProvider(regionType: YOUR-IDENTITY-POOL-REGION, identityPoolId: "YOUR-IDENTITY-POOL-ID")

//Setup the service configuration
let configuration = AWSServiceConfiguration(region: .USEast1, credentialsProvider: credentialProvider)

//Setup the transfer utility configuration
let tuConf = AWSS3TransferUtilityConfiguration()

//Register a transfer utility object
AWSS3TransferUtility.register(
with: configuration!,
transferUtilityConfiguration: tuConf,
forKey: "transfer-utility-with-advanced-options"
)

//Look up the transfer utility object from the registry to use for your transfers.
let transferUtility = AWSS3TransferUtility.s3TransferUtility(forKey: "transfer-utility-with-advanced-options")


transferUtility.uploadData(
        testData,
        bucket: "BUCKET",
        key: "KEY",
        contentType: "video/mp4",
        expression: uploadExpression,
        completionHandler: uploadCompletionHandler
        ).continueWith (block: { (task) -> AnyObject? in
            XCTAssertNil(task.error)

            return nil
    })

请查看我之前发布的链接以获取更多信息。

Answer 2

使用访问密钥和密钥是一种方法。另一种方法是设置Cognito Identity池并从中获取临时的，短暂的凭据以访问存储桶。这将是一种更安全的方式，也是我们推荐的最佳做法。

创建Cognito标识池时，它会自动创建2个角色，即＆＃34; auth＆＃34; ＆＃34; unauth＆＃34;角色。这是一种便利机制，因为许多移动应用程序都具有登录用户和匿名用户（尚未登录的用户）的概念。典型的例子是您可以用来搜索和浏览的电子商务应用程序，只需登录即可添加到购物车/进行购买。

您可以设置＆＃34; auth＆＃34;或者＆＃34; unauth＆＃34;或者两个角色（取决于您的方案）拥有对存储桶的权限，这将使您能够通过应用程序访问存储桶。有关详细信息，请参阅https://docs.aws.amazon.com/aws-mobile/latest/developerguide/how-to-integrate-an-existing-bucket.html。

此外，我建议您使用TransferUtility而不是TransferManager进行S3上传/下载。

从iOS设备

2 个答案: